
Millions of Records Exposed in Veeam Misconfigured Server

Hundreds of millions of records were exposed after a MongoDB server belonging to disaster-recovery firm Veeam was left misconfigured, researchers found.

The open server contained a 200-gigabyte database with millions of records. Researcher Bob Diachenko, who discovered the misconfiguration, said he was able to access the open server sans password on Sept. 5 – and that it was left publicly searchable and wide open until Sept. 9.

That database contained “marketing data, more than 440 million records mostly consisting of names, email addresses and IP addresses… Some may be duplicates,” Diachenko told Threatpost on Tuesday. The records include fields such as customers’ first and last names, email addresses, email recipients, country and customer organization size.

More recently, on Thursday, Veeam co-CEO and President Peter McKay stressed in a post that the incident has been resolved and due to duplicate records, the figure of exposed unique emails was actually closer to 4.5 million, as opposed to the 440 million previously reported by researchers.

“During some maintenance of our network, this single marketing database containing marketing records (that may include names, e-mail addresses and IP addresses) was left visible and exposed due to human error,” he said in the post. “While the database was not easily accessible, it was visible to unauthorized third parties. Once we validated the issue, we took immediate action to properly secure the database.”
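The two mongod settings that turn a maintenance slip like the one described above into an internet-reachable, passwordless database are `net.bindIp` (which interfaces the server listens on) and `security.authorization` (whether a client must authenticate before reading anything). The following audit script is an added example written for this article, not code from Veeam, Diachenko or MongoDB, and nothing is known about Veeam’s actual configuration; the two mongod.conf samples inside it are constructed, one showing the weak layout and one the corrected layout.

```python
"""Audit a mongod.conf for the two settings behind most "open MongoDB" exposures.

Added example: flags a mongod that listens on every interface and/or runs
without access control. Both config samples below are constructed.
"""

# Constructed sample: listens on all interfaces, no access control. Anyone who
# can reach TCP/27017 can list and dump every database without a password.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback plus one private address, and role-based
# access control switched on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

# Values of net.bindIp that expose the listener on every interface.
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def parse_simple_yaml(text):
    """Minimal parser for the flat 'section:\\n  key: value' layout mongod.conf
    normally uses. Not a general YAML parser (no lists, anchors or deeper
    nesting); just enough to read net.* and security.* scalars."""
    tree, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # split on the FIRST colon only
        value = value.strip()
        if indent == 0:
            section = key
            tree.setdefault(section, {})
        elif section is not None:
            tree[section][key] = value
    return tree


def audit(conf_text):
    """Return a list of human-readable findings; an empty list means both
    checks passed."""
    conf = parse_simple_yaml(conf_text)
    net = conf.get("net", {})
    sec = conf.get("security", {})
    findings = []

    if "bindIp" not in net and net.get("bindIpAll", "").lower() != "true":
        # mongod binds to localhost by default only since 3.6; older binaries
        # listened on all interfaces, so an explicit bindIp is the safe choice.
        findings.append("net.bindIp not set: relies on the binary's default "
                        "(localhost only since MongoDB 3.6, all interfaces before)")
    else:
        addrs = {a.strip() for a in net.get("bindIp", "").split(",")}
        if net.get("bindIpAll", "").lower() == "true" or PUBLIC_BINDS & addrs:
            findings.append("net.bindIp exposes mongod on every interface")

    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: anyone who can "
                        "reach the port can read and modify every database")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf) or ["no findings"]
        print(f"{name}: " + "; ".join(result))
```

The script reads the configuration file only, so it can run from a build pipeline or a host-audit job without touching the database; a running instance should additionally be checked from an outside network position, since a firewall or cloud security group that is later removed (the “maintenance of our network” scenario above) can expose a listener that the config alone makes look internal.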

The data seemed to be used by Veeam’s marketing automation team to reach their customers using their Marketo solution – a tool focused on account-based marketing through email, social or mobile, said Diachenko in a post about the incident. The data is part of Veeam’s marketing server infrastructure.

The data’s dates of creation and updates span a four-year period, from 2013 to 2017.

“Based on the collection names and analysis of data in the database, my first guess was that the database originated from a Marketo server, so I also sent security notifications to their email addresses,” said Diachenko. “However, upon further analysis I came to the conclusion that the data was part of Veeam’s marketing server infrastructure, rather than Marketo’s.”

Diachenko said that shortly after security notifications were sent to Veeam about the exposed server – by him and by TechCrunch – the database was secured. However, he said he has not heard any official word back from the company.

A Veeam spokesperson told Threatpost via email: “It has been brought to our attention that one of our marketing databases, leaving a number of non-sensitive records (i.e. prospect email addresses), was possibly visible to third parties for a short period of time. We have now ensured that ALL Veeam databases are secure. Veeam takes data privacy and security very seriously, and a full investigation is currently underway.”

Veeam’s is far from the only exposed data store found this year; misconfigured MongoDB, Hadoop and CouchDB installations and publicly readable cloud storage buckets turn up regularly. In July, researchers discovered a misconfigured repository leaking the information of U.S. voters: the data sat in a public Amazon S3 bucket belonging to Robocent, a Virginia-based political campaign and robocalling company.

In April, a leaky MongoDB database made public the personal information of 25,000 investors tied to the Bezop cryptocurrency. And in March, a Walmart jewelry partner’s misconfigured AWS S3 bucket left the personal details and contact information of 1.3 million customers in plain sight.

“Until companies learn to employ security measures across the board, this kind of exposure is going to keep happening,” Francis Dinha, CEO and co-founder of OpenVPN, told Threatpost. “We call it a ‘leak,’ but even that word shows how little we understand the risk of poor cyber security. In this case, ‘leak’ meant the exposure of millions upon millions of customer emails. In order to really prevent these kinds of security breaches, each individual employee needs to be educated on the importance of cyber security and the specific strategies you expect them to implement.”

These exposed servers risk putting customers’ private data or credentials in the hands of attackers to use – at the very least – for phishing attacks, or worse.

“Even taking into account the non-sensitivity of the data, the public availability of such a large, structured and targeted dataset online could become a real treasure chest for spammers and phishers,” said Diachenko. “It is also a stroke of luck that the database was not hit by the new wave of ransomware attacks which have been specifically targeting MongoDBs (with a much larger extortion amount demanded than last year).”

This article was updated on Thursday, Sept. 13 to reflect a new statement posted by Veeam’s co-CEO and president on the investigation into the matter and the number of unique emails involved.

Authors

Threatpost
